Challenge Description
One of the clients of our company lost access to his system due to an unknown error. He is supposedly a very popular “environmental” activist. As part of the investigation, he told us that his go-to applications are browsers, his password managers, etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us.
First, get the image info so we know which profile to use for the rest of the analysis.
The “environmental” keyword in the description is a hint, so let's scan the environment variables.
When we scan the environment variables we can see an encoded string: “ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9”
The string is base64; decoding it gives us the first flag.
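The decode step above, as an added example that is not part of the original write-up: a small Python scanner that runs over envars-style output, pulls out anything that looks like base64, and keeps only the tokens that decode to printable text, so you do not have to eyeball every variable. The sample output is constructed for the example (the pid, process name, block address and variable names are made up); only the encoded value is the one found above.

```python
import base64
import binascii
import re

# Constructed sample in the shape of Volatility's envars output. Everything
# here is made up for the demo (Pid, process, block address, variable names)
# except the encoded value, which is the one quoted in the write-up above.
SAMPLE_ENVARS = """\
Pid      Process              Block              Variable         Value
-------- -------------------- ------------------ ---------------- -----
    3696 explorer.exe         0x00000000010d1320 ALLUSERSPROFILE  C:\\ProgramData
    3696 explorer.exe         0x00000000010d1320 TEMP             C:\\Users\\user\\AppData\\Local\\Temp
    3696 explorer.exe         0x00000000010d1320 MYVAR            ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9
"""

# A run of base64-alphabet characters, optionally padded, not glued to other
# base64 characters. The minimum length filters out short words.
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")


def decode_printable(token):
    """Return the decoded text if token is valid base64 of printable ASCII, else None."""
    if len(token) % 4 != 0:          # hex addresses and ordinary words mostly fail here
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(32 <= b < 127 for b in raw):
        return None                   # decoded fine, but it is binary junk
    return raw.decode("ascii")


def find_base64_tokens(text):
    """Scan envars-style output and return (token, decoded) pairs that decode cleanly."""
    hits = []
    for match in _B64_TOKEN.finditer(text):
        token = match.group(1)
        decoded = decode_printable(token)
        if decoded is not None:
            hits.append((token, decoded))
    return hits


def find_flags(text, marker="flag{"):
    """Only the decoded values that look like CTF flags."""
    return [decoded for _, decoded in find_base64_tokens(text) if marker in decoded]


if __name__ == "__main__":
    for token, decoded in find_base64_tokens(SAMPLE_ENVARS):
        print(f"{token} -> {decoded}")
```

On a real envars listing, feed the whole plugin output to find_base64_tokens and review the few hits by hand; the printable check removes most false positives, but a long alphanumeric word whose length happens to be a multiple of four can still decode to readable-looking garbage.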
The user uses KeePass as his password manager, so we have to look for the KeePass database extension, .kdbx.
Then we search for the .kdbx file and dump it.
Alright, we dumped the file, but we don't know the password yet. Let's keep investigating.
I tried searching for files with a .txt extension or files named password, but I couldn't find anything about the password.
Then I tried searching for the password keyword with grep -i to ignore case, and there is a file named Password.png.
So let's dump the file.
Good. Then I installed KeePass on my Windows 10 VM and opened the password database in KeePass. And there is the second flag.
The description also mentions browsers, so let's look at the browser history.
Dump the file.
Then open it in SQLite.
When you browse the history there is a link: https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg
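Querying the dumped history file, as an added example that is not part of the original write-up: it assumes a Chromium-based browser, whose History file is an SQLite database with a `urls` table and timestamps in microseconds since 1601 (WebKit time), and it filters for file-sharing hosts so the interesting link stands out. The rows are constructed for the demo; only the mega.nz URL is the one found above.

```python
import sqlite3
from datetime import datetime, timezone

# Chromium stores urls.last_visit_time as microseconds since 1601-01-01 UTC
# (the WebKit / Windows FILETIME epoch). This offset converts to Unix seconds.
WEBKIT_EPOCH_OFFSET = 11644473600

# Hosts worth flagging when looking for staged or exfiltrated files
# (assumed list for the example; extend as needed).
FILE_SHARING_HOSTS = ("mega.nz", "drive.google.com", "dropbox.com", "pastebin.com")


def webkit_to_unix(webkit_us):
    """Convert a WebKit microsecond timestamp to Unix seconds."""
    return webkit_us // 1_000_000 - WEBKIT_EPOCH_OFFSET


def webkit_to_iso(webkit_us):
    """Same conversion rendered as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(webkit_to_unix(webkit_us), tz=timezone.utc).isoformat()


def build_sample_history():
    """In-memory SQLite DB mimicking the Chromium History `urls` table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,"
        " visit_count INTEGER, last_visit_time INTEGER)"
    )
    rows = [
        (1, "https://www.google.com/", "Google", 5, 13000000000000000),
        (2, "https://mega.nz/#F!TrgSQQTS!H0ZrUzF0B-ZKNM3y9E76lg", "MEGA", 1, 13000000120000000),
        (3, "https://keepass.info/", "KeePass", 1, 12999999990000000),
    ]
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    return con


def interesting_urls(con, hosts=FILE_SHARING_HOSTS):
    """Return history rows whose URL matches a watched host, newest visit first."""
    where = " OR ".join("url LIKE ?" for _ in hosts)
    params = [f"%{host}%" for host in hosts]
    cur = con.execute(
        f"SELECT url, title, visit_count, last_visit_time FROM urls WHERE {where} "
        "ORDER BY last_visit_time DESC",
        params,
    )
    return [
        {"url": url, "title": title, "visits": visits, "last_visit": webkit_to_iso(ts)}
        for url, title, visits, ts in cur.fetchall()
    ]


if __name__ == "__main__":
    # Against the real dump: con = sqlite3.connect("file:History?mode=ro", uri=True)
    for row in interesting_urls(build_sample_history()):
        print(row["last_visit"], row["url"], row["title"])
```

Open the dumped file read-only (the `mode=ro` URI shown in the comment) so the evidence is not modified, and note that Firefox keeps its history in places.sqlite under `moz_places` with microseconds since the Unix epoch, so the offset above does not apply there.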
Let's check the link; there is a file named Important.zip. Try to unzip it.
This zip archive is password protected, but there is a hint:
Hash the stage 3 flag from Lab 1 with SHA; the resulting digest is the password for the zip archive.
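Turning the hint into a zip password, as an added example rather than the write-up's own steps: the hint only says "sha", so instead of guessing which variant (or which hex case), hash the Lab 1 flag with each common digest and try the candidates against the archive until one opens it. The Lab 1 flag itself is passed in on the command line and is not reproduced here.

```python
import hashlib
import sys
import zipfile

# The hint only says "sha", so try the common SHA variants (and MD5 for good
# measure) in both hex cases rather than guessing one. SHA-1 goes first because
# that is what a bare "sha" usually means in these challenges (assumption).
ALGORITHMS = ("sha1", "sha256", "sha512", "md5")


def candidate_passwords(flag):
    """Hex digests of the flag under each algorithm, lowercase then uppercase."""
    out = []
    for name in ALGORITHMS:
        digest = hashlib.new(name, flag.encode()).hexdigest()
        out.append((name, digest))
        out.append((name + "-upper", digest.upper()))
    return out


def open_with_flag(zip_path, flag):
    """Try each candidate as the archive password; return (label, password) on success, else None."""
    with zipfile.ZipFile(zip_path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if not names:
            return None
        for label, pwd in candidate_passwords(flag):
            try:
                # Reading one member is enough to validate the password.
                zf.read(names[0], pwd=pwd.encode())
                return label, pwd
            except RuntimeError:
                # "Bad password for file": the 1-byte password check failed.
                continue
            except zipfile.BadZipFile:
                # Check byte matched by chance (1 in 256) but the CRC did not.
                continue
    return None


if __name__ == "__main__":
    # Usage: python zip_pw.py Important.zip 'flag{...}'  (the real Lab 1 stage 3 flag)
    path, flag = sys.argv[1], sys.argv[2]
    result = open_with_flag(path, flag)
    if result:
        print(f"password: {result[1]} ({result[0]})")
    else:
        print("no candidate worked")
```

The standard-library zipfile module only handles the legacy ZipCrypto scheme; if the archive was built with WinZip-style AES encryption it raises NotImplementedError, and you would feed the same candidate list to 7z or pyzipper instead.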
And there is the last flag of Lab 2.